CVE-2010-0736

ViewVC <1.0.10, <1.1.4 - XSS

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via "user-provided input."

References (4)

[Various Sources] http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2313&r2=2342&pathrev=HEAD

[Patch] http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2326

[Patch] http://www.openwall.com/lists/oss-security/2010/03/10/8

[Patch] http://www.openwall.com/lists/oss-security/2010/03/16/14

Scores

EPSS 0.0026

EPSS Percentile 48.7%

Classification

CWE

CWE-79

Status published

Affected Products (14)

viewvc/viewvc < 1.0.9

viewvc/viewvc

n/a/n/a

Timeline

Published Mar 19, 2010

Tracked Since Feb 18, 2026